From: "Покотиленко Костик" <casper@meteor.dp.ua>
To: thiago@powers.com.br
Cc: netfilter@lists.netfilter.org
Subject: Re: UDP port redirect
Date: Wed, 01 Aug 2007 10:05:05 +0300
Message-ID: <1185951905.4759.12.camel@localhost.localdomain>
In-Reply-To: <OF83D375B4.D0B6CF03-ON83257329.007CF9E3-83257329.007EC41C@powers.com.br>
On Tue, 31/07/2007 at 20:04 -0300, thiago@powers.com.br wrote:
> Hello all,
>
> I got a problem when redirecting a UDP port. The rules are:
>
> # TCP port redirect - working fine:
>
> iptables -t nat -A PREROUTING -i <ext_if> -p tcp -d <ext_ip> --dport 22 -j DNAT -m state --state NEW --to <int_ip>:1194
> iptables -A FORWARD -i <ext_if> -p tcp -d <int_ip> --dport 1194 -m state --state NEW -j ACCEPT
"-m state --state NEW" - what is this for? The nat table only sees packets
initiating a connection, doesn't it?
> # UDP port redirect - not going through
>
> iptables -t nat -A PREROUTING -i <ext_if> -p udp -d <ext_ip> --dport 22 -j DNAT -m state --state NEW --to <int_ip>:1194
> iptables -A FORWARD -i <ext_if> -p udp -d <int_ip> --dport 1194 -m state --state NEW -j ACCEPT
You are accepting NEW packets in the filter table; consider making sure the rest
would pass through too.
> I hit the nat/prerouting rule, but never reach the filter/forward one.
> As you can see the only change I've made from the tcp rule to udp rule, is
> just the matching protocol.
> I can debug it a little more, but also would like to hear from you guys if
> you have any hints.
Also, I've experienced a situation with UDP where nat rules don't match because
such a connection existed before the rule was inserted, and conntrack had already
seen it and counted it. UDP connection tracking (since it's a connectionless
protocol) goes by src/dst ports. Packets can belong to different
"connections". The solution for me was to stop the UDP connection for several
minutes to make conntrack forget it and then try again.
> iptables v1.3.8
> 2.6.16.36-default
>
> Thanks !
>
> Thiago.
--
Покотиленко Костик <casper@meteor.dp.ua>
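A toy model of the mechanism the reply describes, added here as an example and not taken from the thread: the nat PREROUTING chain is consulted only for the first packet of a flow, so a UDP flow that conntrack already tracks keeps its old (un-NATed) destination until the entry expires or is removed. The addresses and the 180-second timeout are constructed values (the timeout is an assumption roughly matching nf_conntrack's default UDP stream timeout).

```python
# Toy model (added example, not from the thread): a UDP flow that conntrack already
# knows about never hits a DNAT rule added later; idling or flushing the entry fixes it.
UDP_STREAM_TIMEOUT = 180  # seconds; constructed approximation of nf_conntrack's UDP stream timeout

class Conntrack:
    """Flow table keyed by the UDP 5-tuple, as the reply says: src/dst ports decide."""
    def __init__(self):
        self.entries = {}  # 5-tuple -> {"last_seen": t, "dest": (ip, port)}

    def lookup(self, key, now):
        ent = self.entries.get(key)
        if ent is not None and now - ent["last_seen"] > UDP_STREAM_TIMEOUT:
            del self.entries[key]  # idle long enough: conntrack forgets the flow
            ent = None
        return ent

    def flush(self):
        self.entries.clear()  # what deleting the entries by hand would do

def route(ct, nat_rules, pkt, now):
    """Deliver one packet. nat PREROUTING is consulted only for the first packet
    of a flow; later packets reuse whatever the conntrack entry recorded."""
    key = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    ent = ct.lookup(key, now)
    if ent is None:
        dest = (pkt["dst"], pkt["dport"])
        for rule in nat_rules:  # first matching DNAT rule wins
            if rule["proto"] == pkt["proto"] and rule["dport"] == pkt["dport"]:
                dest = rule["to"]
                break
        ct.entries[key] = {"last_seen": now, "dest": dest}
        return dest
    ent["last_seen"] = now  # existing flow: the nat table is skipped entirely
    return ent["dest"]

def stale_flow_scenario(flush_instead_of_waiting=False):
    """Flow starts before the DNAT rule exists; returns the three observed destinations."""
    ct, rules = Conntrack(), []
    pkt = {"proto": "udp", "src": "203.0.113.5", "sport": 40000,
           "dst": "198.51.100.1", "dport": 22}  # constructed sample addresses
    before = route(ct, rules, pkt, now=0)  # no rule yet: delivered to ext_ip:22
    rules.append({"proto": "udp", "dport": 22, "to": ("192.168.1.10", 1194)})
    stale = route(ct, rules, pkt, now=10)  # rule present, but the conntrack entry wins
    if flush_instead_of_waiting:
        ct.flush()
        fixed = route(ct, rules, pkt, now=11)
    else:
        fixed = route(ct, rules, pkt, now=10 + UDP_STREAM_TIMEOUT + 1)  # flow went idle
    return before, stale, fixed
```

The model covers only the nat/conntrack interaction the reply describes, not the FORWARD-chain rule for the rest of the flow that it also mentions.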